Block wp-login and xmlrpc brute force attacks with CSF / DirectAdmin

The CSF firewall has a system to let users unblock themselves.
It's called "Messenger Service" and integrates with Google reCAPTCHA.

Please set it up yourself. Be careful, it can be a breaking change with some web servers, etc.
I have done everything with Google reCAPTCHA

but I am not getting reCAPTCHA; I am getting this message when my IP is banned:
Code:
This site can’t be reached
The webpage at https://mydomain.com/ might be temporarily down or it may have moved permanently to a new web address.
ERR_TUNNEL_CONNECTION_FAILED
Any idea?
 
I have recently been under a wp-login brute force attack. I enabled this rule for blocking an IP after 5 attempts and it helped a lot to counter the attack. However, this rule doesn't know if the request to wp-login.php was a failure or a success. It means that even if a client successfully logs in but does that 5 times (it could be multiple users from the same internet connection), he will also be blocked. This is exactly what I am facing: some of the users are being blocked because multiple users are logged in from the same IP and boom, the IP is blocked.

.htaccess protection is good but can't be done for each user as there are lots of WP installations. Is there any other strategy where I can handle this issue without blocking legit users?
 
I have a different custom regexp, which you might use. Mine is this:
Code:
# WP-LOGINS: count every POST to wp-login.php or xmlrpc.php that Apache answered with 200 or 401
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) {
    # block the client IP ($1) on ports 80,443 after 10 hits, for 14400 seconds
    return ("Unauthorized",$1,"WPLOGINorWHATEVER","10","80,443","14400");
}

However, as you see, this is also checking code 200, which is in fact an OK, so a successful login. You could try to change it to only look for the unauthorized by leaving the 200 out.
Code:
# WP-LOGINS: only count POSTs to wp-login.php or xmlrpc.php that Apache answered with 401
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (401)/)) {
    # block the client IP ($1) on ports 80,443 after 10 hits, for 14400 seconds
    return ("Unauthorized",$1,"WPLOGINorWHATEVER","10","80,443","14400");
}
I hope the regexp is still correct like this. Change the limits/block to your own needs.
 
401 - unauthorized will not work here as it's a server-side error. If you open wp-login.php and provide wrong credentials, it still returns 200, because from the point of view of the server the right page is served, but from the point of view of WP it's a login error. Hence, I don't think we can assess this way whether it's a login failure or not.
 
Well, as said, I hoped it worked, because I never tested it. It seems not to work then. If no 401 is given but always a 200, then that's a bit of an issue indeed.
You could raise the number of checks to 10 like I did. This gives both the user but also the hacker more attempts before being blocked.

Another option is to use the WP Login BFM of DA itself; then you can set up the time in which DA's BFM looks into the Apache logs for logins.
There's also an idea to create a custom counter.

Have a look at this, maybe you can use it some way:
 
@Richard G , you are missing the point here: 401 is given only when there is an access-related issue at server level, not at application level. The authentication failure occurs at the application level (WP).

Besides, I have come to ask here only after researching; I have been thoroughly through the link you gave, and it itself says:
IMPORTANT: Note that apache does not know if a wp-login.php entry was a login failure or not. All it knows is that a POST was made to the wp-login.php file. Because of this, the Brute Force Monitor considers each POST access to wp-login.php a failed login, even if the correct password was used. Keep this fact in mind when deciding on your IP block limit.

Hence I came here to ask if there could be any other strategy for now, as currently legit users are also being blocked. For the time being I have increased the login-failure threshold, but it's not a proper solution.
 
> you are missing the point here, 401 is given only
No I don't. See my text. I just confirmed your answer that it would always give a 200 which would indeed still cause an issue.

But from the link I gave, I specifically stated to have a look at the timing the logs are scanned and the option to create a custom login counter.
> Possible To-Do: Create a separate login counter max value for these types of logins, as the "failed" count doesn't really apply, logically.
If you could combine this in, for example set a check to 5 logins in 5 minutes or 10 logins in 5 minutes, that is something normal users wouldn't do that quick normally and less chance for legit users to be banned.
True, that's also a kind of threshold. But this is in fact not a DA problem or issue.

> The authentication failure occurring at application level (WP) .
Hence WP should fix this so it gives proper failure notices to Apache by default.

As a last idea from my side, there seems to be an option to create a script to get proper Apache log output.
It's a plugin.

I presume what you need would be something which you can use server-wide like this. Maybe somebody knows how to create something like this server-wide.
But the proper solution would be to address this at WP so it would throw out these messages by default.
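A sliding-window counter of the kind discussed in this post (N login POSTs from one IP within M minutes, deliberately ignoring the HTTP status because WordPress answers 200 to a failed login too), as an added example in Python rather than CSF's Perl regex file; it is not code from the thread, from CSF or from DirectAdmin. The Apache log lines are constructed, and the 5-in-5-minutes threshold is an assumption:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log: client IP, timestamp, request line, status (remaining fields ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse(line):
    """Return (ip, timestamp) for a POST to wp-login.php or xmlrpc.php, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    if not m.group("path").split("?", 1)[0].endswith(LOGIN_PATHS):
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")

def find_offenders(lines, limit=10, window=timedelta(minutes=5)):
    """Map IP -> time it first made `limit` login POSTs inside one `window` (lines in log order).
    The status code is deliberately not checked: WordPress answers 200 to a failed login too."""
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    offenders = {}
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        ip, ts = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop POSTs that fell out of the window
            q.popleft()
        if len(q) >= limit and ip not in offenders:
            offenders[ip] = ts
    return offenders

def sample_log():
    """Constructed access-log lines: a scripted attacker and a shared office NAT address."""
    base = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    def entry(ip, t, req="POST /wp-login.php HTTP/1.1"):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return t, f'{ip} - - [{stamp}] "{req}" 200 1234 "-" "Mozilla/5.0"'
    entries = [entry("203.0.113.7", base + timedelta(seconds=10 * i)) for i in range(10)]  # 10 POSTs in 90 s
    entries += [entry("198.51.100.20", base + timedelta(minutes=10 * i)) for i in range(6)]  # 6 staff logins in an hour
    entries.append(entry("198.51.100.20", base + timedelta(minutes=61), "GET /wp-login.php HTTP/1.1"))  # not a POST
    return [line for _, line in sorted(entries)]
if __name__ == "__main__":
    print(find_offenders(sample_log(), limit=5))  # only 203.0.113.7 trips a 5-in-5-minutes rule
```

The office address never accumulates 5 POSTs inside any 5-minute window, so it stays unblocked, which is the point of a time-window counter over a plain hit counter.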
 
This is a nice idea. I can actually do that with Softaculous to include that plugin during installation; it will require some trial and testing. I doubt, though, whether it can actually log it to the server error log. Anyway, I will do it in a couple of days and hopefully share the results here.
 
When you say you've enabled this rule, are you referring to CSF?
> I enabled this rule for blocking IP after 5 attempts and helped a lot to counter the attack.

If you're having trouble with users tripping this threshold, make the number much larger than 5. When you say you are under attack, are you talking about your clients or you individually?

If it's just your site, you have a number of options, including WP brute force plug-ins.


Or you could hide the location of the login:

 

Server is under attack.

If it was an issue with one WP installation, I would always change the wp-login location first, and plenty of other things. But for your end users, it's not possible to go to each one and ask them to install such plugins.
 
Fail2ban watches the logs and takes action based on the settings you have set up. And it's expandable: you can write your own rules as you see fit. I cannot tell you the difference between fail2ban and CSF because, as I said, "I use fail2ban", meaning I do not use CSF and therefore cannot tell you how it works.
 
CSF is a firewall and fail2ban is a plain intrusion detection service.
CSF includes a brute force protection daemon, very similar to fail2ban.
CSF also reads logs and blocks on different sets of rules.


I would say if you use CSF you don't need fail2ban anymore, and CSF does a lot more. Together with ModSecurity for custom rules you can handle almost all scenarios.

Here is a similar thread: https://forum.directadmin.com/threads/what-to-use-csf-lfd-or-fail2ban-or-both.65310/
 
Thank you very much for the detailed explanation. I checked and I didn't have ModSecurity installed/configured; now I have installed it as per the default configuration in the DirectAdmin documentation, https://docs.directadmin.com/webservices/apache/modsecurity.html. Would you suggest something that can optimize my server? My threshold is 10 (is it okay or do I have to change the threshold?) and my server always notifies me on a daily basis. I have 500 websites and the server specification is
10 vCPU Cores
60 GB RAM
1.6 TB SSD

I heard on the forum that people have 5000+ sites on the same server; I wonder how that is possible.
Thanks in advance.
 
With such tech specs you can handle 5000 websites only if they are all on one template/engine and use adapted caching etc., or if they are all static.
 
No, they are random sites like WordPress, WooCommerce, Laravel, NodeJS etc. How many do you think I can host on this spec? What should be my threshold for server load in your opinion? And what specification do you think I should have for holding 5000+ dynamic sites?
 
For fast-response websites, server load must be less than the core count (for Google metrics etc.).
If websites just must work, it can be anything while the web server is still accessible ;)
I prefer to keep load at less than 1/4 of the core count.
Disks have a great impact: RAID SSD or NVMe now allows keeping website response fast even when the CPU is highly loaded.
-----
How much you can host on this spec: I think you must already start optimizing/caching PHP/MySQL/Apache/nginx etc., because LA 10 with 10 cores is not good; try to decrease it to LA 5-6 or less.
 
> because LA 10 with 10 cores - it's not good,
There is something that is important to know:
> 10 vCPU Cores
Those are not dedicated cores, and it looks like this is a VPS and not a bare metal server.

BTW, is your VPS provider Contabo? They have the same plans as your VPS specs.
If it is Contabo, then it's quite normal, because you never get the real performance they advertise.
 
> Those are not dedicated cores and it looks like this is an VPS and not bare metal server.
I know, that's why they are named vCPU (virtual CPU = spherical horse in a vacuum), but it will be throttled the same way as real cores when LA is higher than the CPU count. But with bare metal there come some financial issues, minus flexibility. And for $27/mo he can't rent a dedicated server with equal specs.
 
> But with bare-metal there comes some financial issues, minus flexibility. And for 27$/mo he can't rent dedicated with equal specs.
This is what I mean: maybe the OP thinks that the cores are dedicated and assumes that he can host many (heavy) sites, but that is not true here.
As said, if this is a Contabo box, don't expect high performance with 500+ sites on one single VPS.
 